Security Forecast 'Cloudy' at Interop LV 2010

Speed made headlines again at Interop LV 2010, the 23-year-old conference devoted to infrastructure that makes the Internet tick. This year, attendees couldn't move without bumping into a 10GigE switch or some other furiously fast data center device. With a multitude of virtualized services migrating into "the cloud," Sun's prescient vision has finally come to pass: The network really is the computer.

This year's show focused on core network innovations that make clouds possible. But, for security folk, clouds pose new threats and opportunities. Dedicated, on-prem devices may be tough to secure -- but they're all yours. On the other hand, cloud services must be logically configured, often from afar, powered by (possibly shared) platforms you've never seen. Interop attendees explored this increasingly cloudy forecast -- and glimpsed the latest gear designed to support it.

What you can't see...

According to Network Instruments, 41 percent of surveyed attendees already ran some kind of Software-as-a-Service (SaaS) -- most often Salesforce.com or Google Apps. Another 19 percent reported using Infrastructure-as-a-Service (IaaS), like Amazon's Elastic Compute Cloud. Why adopt these cloud services? One third said to cut costs; another 30 percent sought more flexibility to react to business changes.

While Interop attendees may be more inclined than your average IT guy to use network-based virtual services, cloud providers and platform vendors clearly need to reach out and comfort those who will be responsible for administering and securing cloud initiatives. Several did just that during Interop conference sessions.

Look before you leap

This year's sessions ran the gamut from cloud computing, virtualization, and app delivery 2.0 to networking, storage, and unified communication. Security issues were sprinkled throughout, but served as the focal point for two tracks: one on governance and compliance, another on IT security and risk management.

In the latter, Brian Contos, Chief Security Strategist at Imperva, discussed "Data Security in the Cloud." Technologies that have long secured our networks -- ACLs, firewalls, IDS, VPN, anti-virus -- are not defending us from attacks like cross-site scripting and SQL injection, he said. Cloud services exacerbate these existing threats.

"When you move data into the cloud, it becomes easier to attack multiple targets at once," said Contos. "A successful attack can bring down an entire service. It can impact many more [companies and users], so the risks around financially-motivated attacks are amplified."

But Contos argued that clouds can also reduce risk through more effective network-based defenses. "You can do reputation-based security really well in the cloud. You can do virtual patching there more efficiently. You can unify data and network-centric controls [inside the cloud]," he said. A good cloud service provider can also deliver faster incident response, using a deeper talent pool.

Chris Richter, VP of Security Services at Savvis, said clouds raise security concerns in part because services are so varied. "You've got multiple models, multiple vendors, and multiple policies. Some providers don't reveal their policies or architectures or even allow vulnerability scans," said Richter. "Security auditors are understandably worried."

Security standards are being drafted by organizations like the PCI Security Standards Council and the Federal Cloud Computing Advisory Council. But enterprises also need to adopt more methodical approaches to secure cloud deployment. Specifically, Richter recommends the following steps:

Like Contos, Richter said a well-designed cloud should incorporate security. "Data is the ultimate prize, so Web app [and database] firewalls in the cloud are very important to stop ports 80 and 443 from becoming gaping holes," he said. But buyers must become informed, ask questions, and walk away from services that don't meet their needs. For example, when deploying a service subject to compliance audits, "If you can't scan your [cloud hosted] environment, you have to look elsewhere," said Richter.

SonicWALL announced Project SuperMassive (above), a data center firewall that combines reassembly-free deep packet inspection with threat intelligence gathered from 1.5 million deployed devices, running in a 4U chassis equipped with up to 20 Cavium 12-core CPUs. The result: a furiously fast box that performs full unified threat management (UTM) at throughputs up to 13 Gbps with just 400 milliseconds of latency. With SuperMassive, 10GigE network operators don't have to choose between performance and reputation-based, application-layer threat prevention.

McAfee used Interop to announce Firewall Enterprise 8, a feature update to the SideWinder acquired from SecureComputing. This proxy firewall has always been application-aware, but FE8 adds "any port" protection, meaning that it can now block SSH tunnels on port 53, etc. FE8 also leverages TrustedSource, McAfee's geo-location and reputation-based filtering service that uses cloud-sourced data from 100 million sensors to block emerging threats. For customers moving to virtual data centers, FE8 is now available as hardware, software, or a virtualized appliance.

German company gateProtect introduced its latest firewall at Interop: the GPZ-2500. This large enterprise UTM firewall combines 6 fiber ports, 18 GigE ports, VPN acceleration, redundant disks, and redundant power supplies to achieve 99.97% availability. The GPZ-2500 delivers up to 9 Gbps of firewall throughput, dropping to 1.1 Gbps with full UTM. GateProtect's "secret sauce" is its icon-driven ergonomic GUI. In multi-site or cloud deployments, the gateProtect Command Center can manage 500 gateProtect UTM firewalls, using eGUI drag-and-drop and visual rules to simplify accurate configuration.

Offering security as a service

Barracuda not only announced its own Next-Generation Firewall, but demonstrated its Purewire Web Security Service -- a SaaS offering that inspects Web requests (local, remote, or mobile) for policy compliance and analyzes responses before letting them enter corporate networks. Depending on requirements, inspection can be performed by the provider's cloud or a CPE gateway. Focused on Web-borne threats, Purewire combines anti-virus signatures, AJAX-aware object analysis, and behavioral analysis to block bots, spyware, and malicious Web apps that use HTTP/HTTPS.